August 30, 2002

Information System Security

Government Information Security Reform Act Implementation:
Defense Security Assistance Management System
(D-2002-142)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Inspector General of the Department of Defense at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General of the Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)    Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
DECC        Defense Enterprise Computing Center
DISA        Defense Information Systems Agency
DITSCAP     DoD Information Technology Security Certification and Accreditation Process
DSAMS       Defense Security Assistance Management System
DSCA        Defense Security Cooperation Agency
GISR        Government Information Security Reform
SSAA        System Security Authorization Agreement

Office of the Inspector General of the Department of Defense
Report No. D-2002-142                                        August 30, 2002
(Project No. D2002LD-0100)

Government Information Security Reform Act Implementation:
Defense Security Assistance Management System

Executive Summary

Who Should Read This Report and Why? DoD personnel who are involved in implementing Government Information Security Reform Act (GISR Act) requirements should read this report. The report discusses our independent assessment of the information security posture of the Defense Security Assistance Management System, a Defense Security Cooperation Agency system.

Background. To gather data on assessments of the effectiveness of DoD information assurance policies, procedures, and practices, DoD developed a GISR Act collection matrix for automated information systems. DoD selected a sample of 560 automated information systems from the almost 4,000 automated information systems in DoD.
For those 560 systems, DoD reported the aggregate results of the assessments for FY 2001 in “GISR Report FY01: Government Information Security Reform Act, Report of the Department of Defense,” October 2001. Of the 560 systems, the Office of the Inspector General of the Department of Defense, the Defense Information Systems Agency Inspector General, and Military Department audit agencies assessed a sample of 115 systems. This report is one in a series of GISR Act audits and is an assessment of the Defense Security Assistance Management System. The Defense Security Assistance Management System is a mission-essential system developed to produce and track security assistance-related contractual documents (sales agreements between governments).

Results. In our assessment of the Defense Security Assistance Management System, the Defense Security Cooperation Agency implementation of GISR Act requirements, as reported in the GISR Act collection matrix for FY 2001, was generally accurate as of August 1, 2001, the date of the FY 2001 collection matrix data, with the exception of one response regarding hardware and system software maintenance plans. Additionally, there was an outstanding issue related to personnel security that had been addressed in Inspector General of the Department of Defense Report No. D-2001-141, “Allegations to the Defense Hotline on the Defense Security Assistance Management System,” June 19, 2001. We found that contractor employees were continuing development work on Defense Security Assistance Management System software while their security clearances were pending. Although 1 of the 32 responses provided in the collection matrix was inaccurate, we concluded that the Defense Security Cooperation Agency was following the standard DoD process to certify and accredit the system.
As a result, the Defense Security Cooperation Agency was making progress toward achieving full information security accreditation for the Defense Security Assistance Management System. For details on the audit results, see the Finding section of the report.

Management Comments. We provided a draft of this report on August 1, 2002. No written response to this report was required, and none was received. Therefore, we are publishing this report in final form.

Table of Contents

Executive Summary                                                          i
Background                                                                 1
Objectives                                                                 3
Finding
     Defense Security Assistance Management System Information Security    4
Appendixes
     A. Scope and Methodology                                             13
          Prior Coverage                                                  14
     B. Government Information Security Reform Act Collection Matrix
          Submission                                                      15
     C. Report Distribution                                               23

Background

Government Information Security Reform. On October 30, 2000, the President signed the Floyd D. Spence National Defense Authorization Act for FY 2001 (Public Law 106-398), which includes title X, subtitle G, the “Government Information Security Reform” (GISR Act). Subtitle G directs that the Government ensure effective controls for highly networked Federal information resources; management and oversight of information security risks; and a mechanism for improved information system security oversight and assurance for Federal information security programs.
The GISR Act directs each Federal agency (DoD for purposes of this report) to annually evaluate its information security program and practices and, as part of the budget process, submit the results of the evaluation to the Office of Management and Budget. The GISR Act covers both unclassified and national information security systems and creates a comparable security management framework for each. The GISR Act also requires that the agency Inspector General or other independent agent evaluate the agency information security program and practices. Also, the GISR Act requires each agency Inspector General or other independent agency to select and test a subset of systems that will confirm the effectiveness of the information security programs.

DoD Responsibilities. The GISR Act directs DoD to annually evaluate its information security program and practices. The DoD uses information technology for thousands of processes that are integral to support and operational functions. Mission-critical, mission-essential, and support-function processes, or applications, reside on computer systems throughout DoD. Applications for the DoD Components include financial accounting; personnel; pay and disbursement; materiel shipping, receiving, and storing; munitions maintenance; and weapon systems-associated applications.

The GISR Act directs that DoD as part of the budget process submit the results of its annual evaluation to the Office of Management and Budget. Office of Management and Budget guidance, memorandum 01-24, “Reporting Instructions for the Government Information Security Reform Act,” June 22, 2001, directs the Secretary of Defense to transmit the FY 2001 annual evaluation of information security program and practices to the Office of Management and Budget by October 1, 2001.
The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD[C3I]) formed and chaired an Integrated Process Team to develop and finalize the guidance and methodology for DoD reporting of the GISR Act. The GISR Act Integrated Process Team developed a 32-column spreadsheet, the GISR Act collection matrix, to gather data on assessments of the effectiveness of DoD information assurance policies, procedures, and practices. DoD required the FY 2001 GISR Act collection matrix data completion as of August 1, 2001.

Inspector General Responsibilities. Office of Management and Budget issued memorandum 01-08, “Guidance on Implementing the Government Information Security Reform Act,” in January 2001 to provide implementation instructions for Federal agencies in carrying out the GISR Act. Guidance specific to the duties of each Inspector General as an independent evaluator was also included in that memorandum. The Office of Management and Budget guidance states that each Inspector General or independent evaluator “should perform an annual evaluation of the agency’s security program and practices. This testing includes testing the effectiveness of security controls for an appropriate subset of agency systems.” Although the GISR Act applies to all Government information systems, the Office of Management and Budget acknowledged that agencies could not review all of those systems every year. As a result, the independent evaluation should identify and assess a logical representative sampling of systems that can be used to form the basis of a conclusion regarding the effectiveness of an agency’s overall security program.

DoD Systems.
The Office of the Inspector General of the Department of Defense developed a stratified random sample from the population of automated information systems the DoD evaluated and reported for FY 2001 in the “GISR Report FY01: Government Information Security Reform Act, Report of the Department of Defense,” October 2001 (DoD GISR Act Report). DoD selected and reported in the DoD GISR Act Report on a sample of 560 automated information systems from the almost 4,000 systems listed in the DoD Information Technology Registry.[1] The Office of the Inspector General of the Department of Defense stratified random sample included 115 systems from the universe sample of 560 systems that were reported on in the DoD GISR Act Report. The audit agencies for the Military Departments and the Defense Information Systems Agency (DISA) Inspector General were to evaluate 91 of the 115 information systems in the sample by August 2, 2002. The Office of the Inspector General of the Department of Defense was to evaluate the remaining 24 systems that support DoD agencies and activities. This report discusses the evaluation of 1 of the 24 DoD-level systems, the Defense Security Assistance Management System (DSAMS).

DoD Information Security Program. DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997, provides the procedures for certification and accreditation of information technology to include information systems, networks, and sites in DoD. It also assigns responsibilities for oversight and implementation of the certification and accreditation process. DITSCAP is to be used as guidance throughout the certification and accreditation process.
DoD Manual 8510.1-M, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 2000, provides implementation guidance that standardizes the certification and accreditation process throughout DoD.

[1] The Information Technology Registry was established in response to requirements contained in section 8102(a) of the National Defense Appropriation Act for FY 2001 and section 811(a) of the National Defense Authorization Act for FY 2001. The DoD registry must contain all of the fielded mission-critical and mission-essential systems as well as all the mission-critical and mission-essential systems that are in development.

Objectives

Our overall audit objective was to assess DSAMS for implementation of the GISR Act requirements of the Floyd D. Spence National Defense Authorization Act for FY 2001. See Appendix A for a discussion of the audit scope and methodology and for prior coverage.

Defense Security Assistance Management System Information Security

Data reported for DSAMS in support of the implementation of the GISR Act requirements for FY 2001 were generally accurate as of August 1, 2001, with the exception of one response regarding hardware and system software maintenance plans. Additionally, there was an outstanding issue related to personnel security that had been addressed in Inspector General of the Department of Defense Report No. D-2001-141, “Allegations to the Defense Hotline on the Defense Security Assistance Management System,” June 19, 2001.
We found that contractor employees were continuing development work on DSAMS software while their security clearances were pending. However, the Defense Security Cooperation Agency (DSCA)[2] was following DITSCAP to certify and accredit DSAMS. As a result, DSCA was making progress in achieving full information security accreditation for DSAMS.

Defense Security Cooperation Agency Mission

DSCA provides direction, supervision, and oversight of security cooperation programs in support of U.S. national security and foreign policy objectives. As part of that mission, DSCA manages foreign military sales requests, approvals, funding, payments, and transfers. DSAMS is the automated information system that supports foreign military sales management for DSCA and the Military Departments.

System Background

DSAMS is a mission-essential[3] system developed to produce and track security assistance-related contractual documents (sales agreements between governments). By FY 2004, the DSAMS Program Office expects that DSAMS will also handle planning and execution of security assistance training. DSAMS was originally planned to replace 13 legacy systems operating within DSCA, the Defense Finance and Accounting Service, and the Military Departments. The first module of DSAMS was deployed in February 1998 to the Naval Inventory Control Point, Philadelphia, Pennsylvania; the Navy International Programs Office, Arlington, Virginia; and the Naval Education and Training Security Assistance Field Activity, Pensacola, Florida. The Army began use of DSAMS in December 1998, and the Air Force began use in July 1999. The Defense Finance and Accounting Service became actively engaged with the deployment of the second DSAMS module in August 2000.
As of March 2002, DSAMS was installed at 67 user sites.

[2] DSCA is the program office for DSAMS and is responsible for the continued development and maintenance of the system.

[3] Mission-essential systems are those systems that are basic and necessary for the accomplishment of an organization’s mission.

System Configuration. DSAMS uses client and server architecture,[4] and users access DSAMS through a personal computer, software components installed at the user’s site, and the Non-Secure Internet Protocol Router Network connection. The DSAMS application and database reside on a server located at the DISA Defense Enterprise Computing Center (DECC), Oklahoma City, Oklahoma, and employ an Oracle database structure.

System Operations. DSAMS is an unclassified system but contains sensitive data, such as information about foreign customers’ contracts for materiel and services procured from the U.S. Government. DSAMS was originally planned to facilitate a full life-cycle management system for security assistance-related documents.

Data Collection Matrix

DSCA provided the response for the DSAMS to ASD(C3I) as of August 1, 2001, and the data reported were generally accurate. In response to the GISR Act requirement for each Federal agency to annually evaluate and report on its information security program and practices, ASD(C3I) developed a GISR Act data collection matrix (the matrix) for DoD. The Assistant Secretary developed the matrix as a management tool to track information assurance trends and outcomes. The matrix consisted of a spreadsheet divided into four sections for data.
Section titles included identifying information, accreditation information, assessment criteria information, and operations and assessments interest items.

In response to the information requested in the matrix, DSCA was generally required to answer yes, no, or provide a date for action completed. With the exception of a special section that could be used for augmenting comments, no other explanation was required or expected. A discussion of each section of the matrix, the data that DSCA reported in the matrix for DSAMS, and our analysis of the data follows. Appendix B contains the information for DSAMS that was reported in the matrix that ASD(C3I) used for the DoD GISR Act Report.

Identifying Information. DSCA was requested to provide the system or network name, acronym, component owner, and information technology classification (mission critical or mission essential) in the identifying information section of the matrix. DSCA responded in the matrix that DSAMS was classified as a mission-essential information technology system. We verified that the identification information in the matrix was correct as stated in the DoD Information Technology Registry.

Accreditation Information. DSCA was requested to provide in the accreditation information section of the matrix the date of accreditation certification, the date of interim certification, the accreditation method, and whether formal documentation for certification and accreditation existed.

[4] Client and server architecture is an arrangement in which some software components reside on a central server and other software components reside on a client’s personal computer or workstation separate from the main server.

Accreditation Date.
DSCA was requested to provide the date that an accreditation process accredited DSAMS. DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, establishes the minimum security requirements for DoD automated information systems. DITSCAP implements the Directive, assigns responsibility, and prescribes procedures for certification and accreditation. DSCA responded in the matrix that DSAMS was not accredited. We verified that the DSCA response was appropriate. DSCA was working on accrediting DSAMS and its goal was to have DSAMS accredited by the end of calendar year 2002.

Interim Certification Date. DSCA was requested to provide the date that an interim authority to operate was granted. According to the provisions of DITSCAP, interim authority should be based on the establishment of an acceptable level of risk in operating the system. DSCA responded in the matrix that an interim authority to operate had not been granted for DSAMS. We verified that DSAMS had been operating since calendar year 1998 without accreditation or interim authority to operate. However, on June 13, 2002, DSCA was granted a 180-day interim authority to operate DSAMS from the DSAMS Designated Approval Authority, the Deputy Director of DSCA. DSCA planned to complete the DSAMS certification and accreditation process prior to the expiration of the 180-day interim authority.

Accreditation Method. DSCA was requested to identify whether DSAMS was accredited under DITSCAP and, if not under DITSCAP, to describe other accreditation and certification procedures.
Several policies govern actions of DSAMS program officials, but DITSCAP is the principal governing document for risk assessment and mitigation of DoD information technology systems. DITSCAP establishes the oversight mechanism that ensures identification of appropriate information to certify, accredit, and maintain a program’s security. DSCA responded in the matrix that DSAMS was not accredited under DITSCAP or any other procedures. We verified that DSCA was following DITSCAP procedures to accredit and certify DSAMS but, as of August 1, 2001, DSAMS was not accredited. DSCA plans to receive DITSCAP accreditation by the end of calendar year 2002.

Certification and Accreditation Documentation. DSCA was requested to identify whether formal documentation existed that the Inspector General of the Department of Defense or other entities could use to verify accreditation. DITSCAP requires a System Security Authorization Agreement (SSAA) for each information technology system. The SSAA is a formal and binding document among the system program manager, the Designated Approving Authority, the Certifying Authority, and the user representative that establishes the level of security required. The SSAA guides the process and documents the results for certification and accreditation as well as implementation of information technology security requirements. DSCA responded in the matrix that it did not have formal documentation in effect for the DSAMS certification and accreditation process. We confirmed that DSCA had not formally documented the DSAMS certification and accreditation process with an SSAA. However, some of the plans, policies, and procedures normally included in an SSAA existed. DSCA planned to complete the development of the SSAA during the 180-day interim authority to operate.

Assessment Criteria Information.
DSCA was requested to confirm that information assurance controls and plans in the assessment criteria information section of the matrix existed. According to the instructions provided for the matrix, ASD(C3I) developed the assessment criteria information section to assess selected systems on the basic program management, controls, and procedures that exist as part of the operation of the system.

Access Controls. DSCA was requested to identify whether access controls were in place. ASD(C3I) defined access controls as controls that limited access of information system resources to authorized users, programs, processes, or other systems. DSCA responded in the matrix that access controls were in place. We verified that DSCA had access controls in place. Those access controls that DSAMS used included: users were required to identify themselves during system login through the use of a protected mechanism (such as passwords) to authenticate user identity and user accounts; user accounts were deactivated after three unsuccessful login attempts; and passwords expired every 90 days.

Risk Assessment and Management Plan. DSCA was requested to identify whether a risk assessment and management plan had been completed. ASD(C3I) defined risk as the possibility of something adverse happening; risk assessment as the process of analyzing threats and vulnerabilities of an information system, and the potential impact of lost information; and risk management as the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. DSCA responded in the matrix that a risk assessment and management plan was not completed. We verified that when DSCA submitted the matrix data as of August 1, 2001, it had not developed a DSAMS risk assessment and management plan.
However, since that time, DSCA completed a DSAMS risk assessment and developed a DSAMS risk management plan.

System Life-Cycle Plan. DSCA was requested to identify whether a system life-cycle plan existed. System life-cycle plan guidance that ASD(C3I) provided with the matrix was that many system life-cycle models exist but most contain five basic phases: initiation, development and acquisition, implementation, operation, and disposal. DSCA responded in the matrix that a DSAMS life-cycle plan had not been completed. We confirmed that as of August 1, 2001, DSCA had not developed a DSAMS life-cycle plan. As of June 2002, a DSAMS life-cycle plan was being developed.

System Security Plan. DSCA was requested to identify whether a system security plan was in place. ASD(C3I) defined a system security plan as an overview of the security requirements of a system, a description of the controls in place or the controls planned for meeting those requirements, and delineation of responsibilities and expected behavior of the individuals who access the system. DSCA responded in the matrix that a DSAMS security plan had not been completed. We confirmed that as of August 1, 2001, DSCA had not developed a DSAMS security plan. However, since that time, DSCA developed a system security plan. The system security plan, the “DSAMS End Users Security Guide,” identifies the security measures that must be enforced to operate DSAMS so that the system can securely process sensitive, unclassified information. In addition, the guide documents DSAMS information system security personnel responsibilities, security management responsibilities, and incident reporting responsibilities.

Personnel Security Measures. DSCA was requested to identify whether proper personnel security measures were in place.
ASD(C3I) defined personnel security measures as a broad range of security issues related to how human users, designers, implementers, and managers of software and hardware interact with computers, and the access and authorities needed to do their jobs. DSCA responded in the matrix that DSAMS had personnel security measures in place. We confirmed that personnel security measures, in the form of access measures, were in place for DSAMS. DSAMS had segregation of duties, with varying levels of access and control for designers, developers, programmers, testers, and system administrators. DSAMS authorized personnel access to DSAMS through the use of password-protection procedures. DSAMS password-protection procedures require passwords to be changed every 90 days and user accounts to be closed after 180 days of inactivity.

Although personnel security access measures were in place, another personnel security issue addressed in Report No. D-2001-141 had not been corrected. We found that contractor employees were continuing development work on DSAMS software while their security clearances were pending. We readdressed that personnel security issue with DSCA in a classified memorandum, “Potential Security Risks to Department of Defense Information Systems,” June 14, 2002. The Audit Followup and Technical Support Directorate, Inspector General of the Department of Defense, plans to perform follow-up action on the personnel security issue.

Physical Security Controls. DSCA was requested to identify whether physical security controls were in place. ASD(C3I) defined physical security and environment security as the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. DSCA responded in the matrix that DSAMS had physical security controls in place. We verified that physical security controls were in place.
All DSAMS equipment (servers and data storage) was secured by DISA at DECC Oklahoma City,[5] where the DSAMS application resides. DECC Oklahoma City physical security controls for DSAMS included that the support and administrative areas were protected by at least one physical barrier and that the computer room was protected by at least three physical barriers. The Defense Security Assistance Development Center network, Mechanicsburg, Pennsylvania (used to develop DSAMS software) was secured by at least two physical barriers.

[5] The DECC Oklahoma City site received DITSCAP certification and accreditation on September 15, 2000.

Administrative Controls. DSCA was requested to identify whether administrative controls were in place. ASD(C3I) did not define administrative controls but suggested that administrative controls included the presence of a help desk and audit trail. Administrative controls are designed to promote operational efficiency and adherence to system policies and procedures. DSCA responded in the matrix that DSAMS had administrative controls in place. We verified the DSCA response. DSCA had established a help desk and an audit trail for DSAMS.

Contingency Plans. DSCA was requested to identify whether contingency plans were in place and, if so, when the last time was that a contingency drill, data loss drill, or power loss drill occurred. ASD(C3I) defined contingency planning as involving more than simply planning for a move offsite after a disaster destroys a facility. Contingency planning was to also include how to keep an organization’s critical functions operational in the event of disruptions, both large and small. Although DoD Directive 5200.28 requires periodic testing of contingency plans for mission-critical systems, the Directive encourages contingency plans for all systems.
DSCA responded in the matrix that DSAMS did not have a contingency plan in place and left the date the contingency plan was last exercised blank. We verified that DSCA did not have a complete DSAMS contingency plan; however, it did have a year 2000 DSAMS business contingency plan. That contingency plan addressed two business-specific contingencies, short-term loss and prolonged loss of system availability, but did not address site-specific contingencies, such as natural disasters (for example, fire, flood, and earthquake), civil disorders, and bomb threats. DSCA was revising the contingency plan to address additional events.

Short-term loss (less than 1 week) of DSAMS availability was addressed through users of the system holding foreign military sales data and the users inputting the data when DSAMS became operational. Prolonged loss (in excess of 1 week) of DSAMS availability was addressed with the use of manual methods to process the foreign military sales data (typewriters, word processors, faxes, telephones, couriers, and the use of existing reports). When DSAMS becomes operational, the manually processed data would then be inputted. Furthermore, if the DECC Oklahoma City operations site were to become inoperable, DSAMS would be restored at a DISA backup operations site in Louisiana from the nightly DSAMS backup files. As reported by DSCA, the contingency plan had not been fully exercised. However, DSCA had executed parts of the plan, such as the data backup and recovery processes. DISA last exercised DSAMS at the backup operations site in June 2002.

Hardware and System Software Maintenance Plans. DSCA was requested to identify whether hardware and software maintenance plans were in place.
ASD(C3I) defined hardware and software maintenance plans as controls used for monitoring the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record of changes is maintained. DSCA responded in the matrix that DSAMS had hardware and system software maintenance plans in place. However, we determined that DSAMS did not have hardware and system software maintenance plans when the matrix was submitted. DSCA officials agreed that the answer was incorrect as of August 1, 2001. As of June 2002, DSAMS had not developed hardware and system software maintenance plans.

        Data Integrity Processes. DSCA was requested to identify whether data integrity processes were in place. ASD(C3I) defined data integrity processes as controls used to protect data from accidental or malicious alteration or destruction and used to provide assurance for users that the information met expectations about its quality and integrity. DSCA responded in the matrix that DSAMS had data integrity processes in place. We verified that DSAMS had data integrity processes. DSAMS was protected by virus detection and communication encryption software intended to provide integrity and confidentiality. The data integrity processes were managed for DSAMS through the use of software controls and procedural measures at the DITSCAP-accredited DECC Oklahoma City site.

        Security Incident Response Plan. DSCA was requested to identify whether a security incident response plan was in place. ASD(C3I) defined a security incident response plan as a formal description and evaluation of risks to an information system, and a process that identified and applied countermeasures commensurate with the value of the assets protected, based on a risk assessment. An incident response plan should provide help capability when an adverse event in a computer system or network causes a failure of a security mechanism or when an attempted breach of those mechanisms occurs. DSCA responded in the matrix by leaving the field blank. We confirmed that DSAMS did not have a security incident response plan in place at the time the matrix was submitted. However, since August 1, 2001, DSCA had developed a security incident response plan. The plan provides general guidelines for the systematic response to unauthorized intrusions, classified message incidents, malicious code, fraud and theft, errors in and omissions of data, employee sabotage and abuse, and denial of service incidents.

Operations and Assessments Interest Items. DSCA was requested to identify specific operational assessment mechanisms that existed as part of the operation of the system and to provide general comments to augment reporting efforts on basic program management, controls, and procedures. ASD(C3I) did not provide definitions for reporting elements contained in the operations and assessments interest items section of the matrix. Information contained in that section included network protections, vulnerabilities, and assessments.

      Network Protections. ASD(C3I) requested data from DSCA on the network security functions of intrusion detection systems and firewalls.

               Intrusion Detection Software. DSCA was requested to identify whether intrusion detection software protected DSAMS. Intrusion detection software inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

               Firewalls. DSCA was requested to identify whether boundary protections, such as firewalls, for DSAMS were present. A firewall is a boundary protection system that limits access between networks to prevent intrusions from outside the network. A firewall stops external intrusions but does not detect an attack from inside the network.

        DSCA responded in the matrix that DSAMS was protected by intrusion detection software and had boundary protection in place. We confirmed that DSAMS was protected by intrusion detection and a firewall at DECC Oklahoma City. DSAMS uses a client-server architecture; although DSAMS did not have intrusion detection software or firewalls at user sites, the DISA intrusion detection software and firewall at DECC Oklahoma City protected the DSAMS data.

        Vulnerabilities. ASD(C3I) requested DSAMS information from DSCA concerning the red and blue team assessment, the information assurance vulnerability alert process, and the vulnerability analysis and assistance program.

                Red and Blue Team Assessment. DSCA was requested to identify the date of the most recent red and blue team assessment. According to a dictionary and reference guide used by the GISR Act Integrated Process Team, a red team is a simulated opposing force that uses active and passive actions, as well as technical and non-technical capabilities, to expose and exploit information operation vulnerabilities of a blue team (a simulated friendly force).
DSCA responded in the matrix that DSAMS had not had a red and blue team assessment. We confirmed that the DSCA response was correct as of August 1, 2001. However, as part of an FY 2000 security review of DSAMS, the system's development contractor performed internal penetration testing for vulnerabilities. In addition, DISA had a red and blue team assessment performed for the DECC Oklahoma City site.

                Connections. DSCA was requested to identify whether DSAMS had a connection approval to connect to a larger backbone network. Connections are system interfaces to other information systems for the purpose of transmitting or receiving data. DSCA responded in the matrix that the DSAMS interface connections were approved. We confirmed that DSCA had a formal DSAMS system interface agreement with the external Defense Integrated Financial System of the Defense Finance and Accounting Service. Additionally, DSCA had system interface specifications for DSCA systems that connected to DSAMS. The DSAMS system interface specifications identify and map the data protocols for those internal and external DSCA systems that exchange data with DSAMS.

                Information Assurance Vulnerability Alert. DSCA was requested to identify whether DSAMS was fully information assurance vulnerability alert compliant in both acknowledging and adhering to information assurance vulnerability alerts. An information assurance vulnerability alert is a process that incorporates identification and evaluation of new vulnerabilities, disseminates technical responses, and tracks compliance within DoD. Alerts are generated when a critical vulnerability that poses an immediate threat to DoD exists. DSCA responded in the matrix that DSAMS was fully information assurance vulnerability alert compliant. We confirmed that the DSCA response was appropriate as of August 1, 2001; DSAMS was information assurance vulnerability alert compliant.

               Vulnerability Analysis and Assistance Program. DSCA was requested to identify whether DSAMS had a vulnerability analysis and assistance program assessment. According to a dictionary and reference guide used by the GISR Act Integrated Process Team, a vulnerability analysis and assistance program was a survey of the Non-Secure Internet Protocol Router Network, the SECRET Internet Protocol Router Network, and Joint Worldwide Intelligence Communications System networks for common computer security vulnerabilities. DSCA did not provide a response in the matrix. We confirmed that the DSCA response was appropriate as of August 1, 2001, and as of June 2002, no vulnerability analysis and assistance program assessment had been performed.

           Assessments. DSCA was requested to identify the dates for the most recent:

                   •   Joint Staff integrated vulnerability assessment,

                   •   system requirements reviews,

                   •   balance survivability assessment, and

                   •   integrated vulnerability assessment.

            DSCA provided no response in the matrix. We confirmed that the DSCA response was correct as of August 1, 2001, because the reporting elements in the section were specific assessments and technical controls that not all systems, including DSAMS, were required to perform. However, in May 2000, DISA performed a system requirements review at DECC Oklahoma City, which included a review of DSAMS.


Conclusion

    From our analysis of the data reported in the matrix for DSAMS, we concluded that DSCA was following DITSCAP to certify and accredit DSAMS. Although 1 of the 32 matrix responses was incorrect and audit issues from a prior audit remained unresolved, we concluded that DSCA was making progress in achieving full information security accreditation for DSAMS.


Appendix A. Scope and Methodology

   Work Performed. We verified and validated the DSAMS data supporting the DoD GISR Act Report. We also performed a review of DSAMS information security controls at the Defense Security Assistance Development Center, Mechanicsburg, Pennsylvania, to validate operational controls. To accomplish the audit objective, we:

          •   reviewed Public Law 106-398, Office of Management and Budget guidance, and DoD regulations and guidance related to the GISR Act;

          •   interviewed DSAMS personnel in DSCA who prepared the GISR Act matrix submission;

          •   verified the information reported on the GISR Act data collection matrix. Our verification consisted of reviewing the documentation that supported the answers DSCA provided on the GISR Act collection matrix as of August 1, 2001;

          •   interviewed personnel responsible for DSAMS development at the Defense Security Assistance Development Center; and

          •   reviewed site operations that documented the presence of operational controls at the Mechanicsburg site.

   Limitations to Scope. We limited the audit scope to verification and validation of information in the DSAMS GISR Act collection matrix submitted by DSCA and certification and accreditation progress made since. Additionally, we did not review the management control program because DoD recognized information assurance programs as a material weakness in its FY 2000 Statement of Assurance, which was its most recent signed Statement of Assurance.

   High-Risk Area. The General Accounting Office has identified several high-risk areas in DoD. This report provides coverage of the Information Security high-risk area.

   Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

   Audit Dates and Standards. We performed this audit from April through July 2002 in accordance with generally accepted government auditing standards.

   Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.


Prior Coverage

     During the last 5 years, the Inspector General of the Department of Defense has issued two reports discussing DSAMS. Unrestricted Inspector General of the Department of Defense reports can be accessed at http://www.dodig.osd.mil/audit/reports.

Inspector General of the Department of Defense (IG DoD)

     IG DoD Report No. D-2001-141, "Allegations to the Defense Hotline on the Defense Security Assistance Management System," June 19, 2001

     IG DoD Report No. 98-095, "Defense Security Assistance Management System," March 24, 1998


Appendix B. Government Information Security Reform Act Collection Matrix Submission

     We evaluated the DSAMS GISR Act collection matrix that DSCA submitted as of August 1, 2001, to ASD(C3I). The following is a summary of the data ASD(C3I) requested, the response from DSCA, and our analysis of the response for 27 of 32 fields on the data collection matrix.
We did not include in the matrix below five administrative information data fields that identified the system. A list of acronyms is at the end of this appendix.

Accreditation Information

Accredited? (Date)
    DSCA Response*: No
    Audit Results: DSAMS was not accredited. The DSCA goal was to accredit DSAMS by the end of calendar year 2002.

Interim authority to operate? (Date)
    DSCA Response: No
    Audit Results: DSAMS had been operating since February 1998 without accreditation or interim authority to operate. On June 13, 2002, DSCA was granted a 180-day interim authority to operate DSAMS from the Designated Approving Authority (Deputy Director, DSCA).

Accreditation under DITSCAP?
    DSCA Response: No
    Audit Results: DSAMS was not accredited, but DSCA was following DITSCAP to certify and accredit DSAMS, and planned for accreditation by the end of calendar year 2002.

Not DITSCAP, describe other.
    DSCA Response: No
    Audit Results: DSAMS was not accredited prior to the current effort to accredit under DITSCAP.

Formal documentation in effect? (SSAA or other certification and accreditation documentation)
    DSCA Response: No
    Audit Results: No formal SSAA had been developed for DSAMS. DSCA planned on developing an SSAA to formally document DSAMS certification and accreditation processes.

*   Some questions request a date only. If a date was provided, it can be implied that the answer was yes.

Assessment Criteria Information

Access controls in place?
    DSCA Response: Yes
    Audit Results: DSAMS used passwords and user accounts.
        − User accounts were the user's first initial and full last name.
        − Passwords were from 8 to 15 characters long, and had at least one uppercase, one lowercase, and either one numeric or one special character.
        − After three unsuccessful login attempts, the DSAMS user account is deactivated.
        − Passwords expired every 90 days.

Risk assessment and management plan completed?
    DSCA Response: No
    Audit Results: DSCA had not developed a DSAMS risk assessment and management plan at the time the matrix was submitted. DSCA subsequently completed the risk analysis and management plan. The plan addresses four threats and comprises five parts:
        − the threat,
        − the probability of the threat occurring,
        − the risk if the threat occurs,
        − the possible cost if the threat occurs, and
        − countermeasures that can be applied.

System life-cycle plan exists?
    DSCA Response: No
    Audit Results: DSCA had not developed a DSAMS life-cycle plan at the time the matrix was submitted. The system life-cycle plan was being developed as of June 2002.

System security plan in place?
    DSCA Response: No
    Audit Results: DSCA had not developed a DSAMS security plan at the time the matrix was submitted. DSCA developed a system security plan after the matrix was submitted. The plan provides an overview of DSAMS security requirements.

Proper personnel security measures in place? (includes assignment of duties and segregation of duties)
    DSCA Response: Yes
    Audit Results: DSAMS had segregation of duties, with varying levels of access and control.
        − Designers, developers, programmers, testers, and system administrators all had automated data processing level I, II, or III access privileges.
        − The level of automated data processing access privileges granted was based on each position's job description.
    Passwords were required to be changed every 90 days.
    User accounts were closed after 180 days of inactivity.
    Unresolved issues from the prior audit:
        − DSCA was not requiring completed security background investigations before allowing users and developers access to DSAMS.
        − Contractor employees without completed background investigations have been developing DSAMS, some since calendar year 1996.
        − Initial security background investigation requests for contractor employees were not submitted until FY 2000, and most of the clearances were still pending.

Physical security controls in place?
    DSCA Response: Yes
    Audit Results: All DSAMS hardware was secured by DISA at DECC Oklahoma City. DECC Oklahoma City received DITSCAP accreditation on September 15, 2000.
        − DECC Oklahoma City support and administrative areas were protected by at least one physical barrier.
        − DECC Oklahoma City computer room was protected by at least three physical barriers.
    The Defense Security Assistance Development Center network, Mechanicsburg, was secured by at least two physical barriers.

Administrative controls in place? (includes help desk and audit trail)
    DSCA Response: Yes
    Audit Results: DSCA had established a help desk and an audit trail for DSAMS.

Contingency plans in place?
    DSCA Response: No
    Audit Results: DSCA had a year 2000 DSAMS business contingency plan. The plan had two contingency plans of action.
        − Short-term loss (less than 1 week): Users of the system would hold work until DSAMS became operational.
        − Prolonged loss (in excess of 1 week): Manual means would be put into effect (typewriters, word processors, faxes, telephones, couriers, and the use of existing reports), and data would be input when DSAMS became operational.
    If the DECC Oklahoma City operations site were to become inoperable, DSAMS would be restored at a DISA backup operations site in Louisiana from the nightly DSAMS backup file.
    The contingency plan was being revised to address additional events.

Date contingency plans last exercised?
    DSCA Response: Blank
    Audit Results: The contingency plan had not been fully exercised.
        − DSAMS had been down for short-term periods.
        − DSAMS data backup and recovery processes had been exercised.
        − DSAMS was exercised at the backup operations site in June 2002.

Hardware and system software maintenance plans in place? (includes version control testing)
    DSCA Response: Yes
    Audit Results: The DSCA response was incorrect. As of June 2002, DSCA still did not have maintenance plans in place for DSAMS.

Data integrity processes in place? (includes virus scans, system performance monitoring)
    DSCA Response: Yes
    Audit Results: DSAMS was protected by virus detection and communication encryption software. DSAMS data integrity is managed under the DECC Oklahoma City DITSCAP-accredited system procedures and processes.

Security incident response plan in place?
    DSCA Response: Blank
    Audit Results: DSCA did not have a security incident response plan at the time the matrix was submitted. However, DSCA subsequently developed a plan. The plan addresses:
        − unauthorized intrusions;
        − classified message incidents;
        − malicious code;
        − fraud and theft;
        − errors in and omissions of data;
        − employee sabotage and abuse; and
        − denial of service incidents.

Operations and Assessments Interest Items

Protected by IDS [Intrusion Detection Software]?
    DSCA Response: Yes
    Audit Results: DSAMS was protected by IDS. DECC Oklahoma City provides DSAMS IDS support as part of its operations.

Boundary protection in place? (For example, firewall)
    DSCA Response: Yes
    Audit Results: DSAMS was protected by boundary protection (firewalls).
        − DECC Oklahoma City provides DSAMS boundary protection as part of its operations.
        − Unsuccessful login attempts are tracked.

Red and blue team assessment? (Date)
    DSCA Response: No
    Audit Results: No red and blue team assessments had been performed on DSAMS. A red and blue team assessment was performed for the DECC Oklahoma City site.

Connection approved?
    DSCA Response: Yes
    Audit Results: DSAMS had a formal interface agreement with the Defense Finance and Accounting Service's Defense Integrated Financial System. DSAMS had interface design specifications for internal DSCA systems.

IAVA [Information Assurance Vulnerability Alerts] compliant?
    DSCA Response: Yes
    Audit Results: DSCA had an IAVA policy in place and had allocated the personnel resources required to implement it. DSCA is using the DISA IAVA handbook as its IAVA policy.

VAAP [Vulnerability Analysis and Assistance Program] assessment complete? (Date)
    DSCA Response: Blank
    Audit Results: No VAAP assessment had been completed for DSAMS.

Joint Staff integrated vulnerability assessments complete? (Date)
    DSCA Response: Blank
    Audit Results: No Joint Staff integrated vulnerability assessments had been completed for DSAMS.

System requirements reviews complete? (Date)
    DSCA Response: Blank
    Audit Results: No system requirements reviews had been completed for DSAMS at the time DSCA submitted the matrix. However, a system requirements review by DISA of DECC Oklahoma City included a review of DSAMS.

Balance survivability assessment complete? (Date)
    DSCA Response: Blank
    Audit Results: No balance survivability assessment had been completed for DSAMS.

Integrated vulnerability assessment complete? (Date)
    DSCA Response: Blank
    Audit Results: No integrated vulnerability assessment had been completed for DSAMS.


Applicable Acronyms

ASD(C3I)          Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
DECC              Defense Enterprise Computing Center
DISA              Defense Information Systems Agency
DITSCAP           Defense Information Technology Security Certification and Accreditation Process
DSAMS             Defense Security Assistance Management System
DSCA              Defense Security Cooperation Agency
GISR              Government Information Security Reform
IAVA              Information Assurance Vulnerability Alerts
IDS               Intrusion Detection Software
SSAA              System Security Authorization Agreement
VAAP              Vulnerability Analysis and Assistance Program


Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Director, Defense-Wide Information Assurance Program

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
   Inspector General, Defense Information Systems Agency
Director, Defense Logistics Agency
Director, Defense Security Cooperation Agency

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government Reform


Team Members

The Readiness and Logistics Support Directorate, Office of the Assistant Inspector General for Auditing of the Department of Defense prepared this report. Personnel of the Office of the Inspector General of the Department of Defense who contributed to the report are listed below.

Shelton R. Young
Kimberley A. Caprio
Tilghman A. Schraden
Kathryn L. Palmer
Walter S. Bohinski
Glen B. Wolff
Daniel L. Messner
Elizabeth N. Shifflett